Randomness is an important resource for many applications, from gambling to secure communication. However, guaranteeing that the output from a candidate random source could not have been predicted by an outside party is a challenging task, and many supposedly random sources used today provide no such guarantee. Quantum solutions to this problem exist, for example a device which internally sends a photon through a beam-splitter and observes on which side it emerges, but, presently, such solutions require the user to trust the internal workings of the device. Here we seek to go beyond this limitation by asking whether randomness can be generated using untrusted devices — even ones created by an adversarial agent — while providing a guarantee that no outside party (including the agent) can predict it. Since this is easily seen to be impossible unless the user has an initially private random string, the task we investigate here is private randomness expansion.

We introduce a protocol for private randomness expansion with untrusted devices which is designed to take as input an initially private random string and produce as output a longer private random string. We point out that private randomness expansion protocols are generally vulnerable to attacks that can render the initial string partially insecure, even though that string is used only inside a secure laboratory; our protocol is designed to remove this previously unconsidered vulnerability by privacy amplification. We also discuss extensions of our protocol designed to generate an arbitrarily long random string from a finite initially private random string. The security of these protocols against the most general attacks is left as an open question.



I. INTRODUCTION

Random numbers are important in a wide range of applications. In some, for example statistical sampling or computer simulations, pseudo-randomness may be sufficient. However, in others, such as gambling or cryptography, the use of pseudo-randomness may be detrimental — a shrewd adversary might identify and exploit any deviation from true randomness. Since quantum measurements are the only physical processes we know of that appear to be intrinsically random, it is natural to try to design quantum random number generators. In fact, devices which generate randomness through quantum measurement are commercially available^1. However, to be convinced that the outputs of these devices are random and private, i.e. unknown to any third party, the user must either trust or verify that they are built to a specified design.

It would be desirable if users could instead guarantee the privacy of their newly generated random strings solely by tests on the outputs of their devices. This would eliminate the need for a complicated and time-consuming verification that the devices are functioning according to design and contain no accidental or deliberate security flaws. A protocol requiring only tests on device outputs is said to be device-independent.

The notion of device-independent cryptography was first introduced by Mayers and Yao [1], although with hindsight it could be argued that the seed of the idea was already implicit in the Ekert key distribution protocol [2]. Proving device-independent security of cryptographic tasks is a challenging task. The first quantum key distribution protocol with proven device-independent security was devised by Barrett et al. (BHK) [3]^2. Although the BHK protocol provided a crucial proof of principle, it achieves provable general security at the price of low efficiency. The idea was subsequently developed, producing more efficient protocols provably secure against restricted classes of attack 0-0 and then against general attacks p^| - |T^ ^3.

Here we consider a different task, private randomness expansion. The aim is to use an initially private random string to generate a longer one, in a way that guarantees that the longer string is also kept private from all other parties. In this paper, we investigate the task of private randomness expansion within the device-independent paradigm.

This task was first introduced in [15] (the work presented here is essentially a condensed version of Chapter 5 of [15]) and has been subsequently developed [16].



^2 See also Ref. [J] for some further details and discussion.

^3 These latter protocols have an important difference from those in the former set: they require that at least one of the users ensures additional no-signalling conditions that require multiple isolated regions within their laboratories. Specifically, they are valid only if (for at least one of the users) each input is made to a separate device unable to communicate with the others.






In the latter work, Pironio et al. analyse a protocol related to the one in [15] (they use the CHSH inequality instead of GHZ tests) and present a security analysis for a restricted class of attacks (ones in which an adversary is forced to measure any quantum systems they hold prior to performing privacy amplification). Furthermore, they report an experimental demonstration of their protocol.

Quantum private randomness expansion is an important cryptographic task in its own right, but also has some features in common with quantum key distribution, so device-independent protocols and security proofs for this task should also shed light on analogous results for quantum key distribution. Conversely, any secure protocol for device-independent key distribution that generates a secret key longer than the amount of randomness used in the protocol could also be used for randomness expansion by performing both sides of the key-generation protocol in a single laboratory. Candidate protocols of this type have recently been proposed (see above); at present they require a large number of isolated devices (cf. Footnote 3). Obviously, it would be preferable not to require this practically challenging constraint, all else being equal.^4

There is one significant new insight in the present work that has not appeared previously: the protocols given in [15] and [16] are not secure in a composable way. On the contrary, there are quite plausible scenarios in which the final private random string output by these protocols can become partly compromised, in which case the protocol is evidently insecure. The protocol we present here has hence been slightly modified from the one given in [15] (see Section IV for further explanation).^5

Our protocol is intended to allow an honest user, Bob, to input a sufficiently long initial private random string to devices constructed by a potential adversary, Eve, and obtain as output a finite longer private random string. We also propose using this protocol within an extended one to allow an initial private random string to generate an arbitrarily long private random output string. Our extended protocol has the undesirable feature of requiring a large number of devices (dependent on the amount of expansion required) which must be prevented from communicating with one another. In both protocols, the length of initial string required depends on the tolerance for risking successful cheating by Eve. Neither protocol is optimized for efficiency.

Proving security of our protocols against the most general possible attacks remains an open question. The aim of this work is rather to introduce the task, to propose some candidate protocols for its solution, and to explain some intuitions that suggest they are good candidates to examine further. In so doing we should stress that, while the history of quantum cryptography shows that initially unproven intuitions can spark major advances — indeed the subject was originally founded on such intuitions [Si — it also shows that they should be approached critically and finally accepted only if and when proven.

^4 Analyzing these recent protocols and their implications for randomness expansion goes beyond the work reported here; however, readers should be aware of their existence.

^5 The protocol in [16] can also be modified to deal with this security loophole, as we discuss in Footnote 27 below.

II. PRELIMINARIES 
A. Assumptions 

We make the following assumptions:

1. Bob's laboratory is secure. In particular, secret messages cannot be sent from Eve's devices, once within his laboratory, to the outside world^6, and Eve cannot probe his laboratory from outside.

2. Bob can isolate any devices in his laboratory, preventing them from sending any signal outside an isolated region.^7

3. Bob has secure classical information processing devices^8, with secure authenticated classical communication between them within his laboratory.^9 In particular, Eve's devices are unable to spoof classical communications within Bob's laboratory; they can output to Bob's classical devices only via prescribed channels.

4. Eve is constrained by the laws of quantum theory.

5. All communication channels and devices operate noiselessly^10.

Note that we do not include the common assumption that Bob has complete knowledge of the operation of the devices he uses to implement the protocol. Instead, we suppose that all quantum devices were sourced from an untrusted party, Eve, who may construct them using complete knowledge of Bob's protocol. From Bob's perspective, these devices are simply black boxes with inputs and outputs.

^6 Without this, the task is impossible, since the devices could simply broadcast their inputs and outputs.

^7 For example, by placing them each in their own sub-laboratory. Alternatively, when it is sufficient to prevent communication between the devices during a protocol of finite duration, if we assume the impossibility of faster-than-light signalling, Bob can isolate the devices by placing them at appropriately space-like separated locations during the protocol. (Bob could ensure such separation using trusted classical clocks and rulers.)

^8 If Bob cannot trust any classical information processing device — including his own brain — then he is beyond the help of cryptographers.

^9 Since Eve's devices can be isolated (cf. Assumption 2), we assume that any authentication procedures used do not need to consume secret randomness; of course, if they do, this randomness should be included in the accounting.

^10 This assumption is in practice unrealistic and one would hope to eventually drop it. Its main purpose is to keep the protocols and security proofs as simple as possible in the first instance.

We briefly consider weakening the assumption that Eve 
is constrained by quantum theory at the end of the paper. 



B. Non-classical correlations 

Bob will want to perform tests on the devices supplied by Eve. We assume Bob's testing protocol is known publicly, and in particular is known to Eve, but that it may involve random inputs which are not known to Eve. Indeed, a little thought shows that this is essential for any unconditionally secure protocol. Without private random inputs, Eve knows Bob's entire protocol. To be useful, the protocol must have at least one valid set of outputs. Eve can then calculate such a set in advance and supply her devices with classical records of these pre-calculated outputs, thus ensuring both that the devices pass Bob's tests and that she knows in advance all the data they generate for Bob. Clearly, Bob cannot generate any private random data in this scenario.

We thus assume that Bob begins with a private random string, and is interested in generating a longer one, i.e. in private randomness expansion. He needs to ensure that Eve cannot pre-calculate classical data that she can supply to her devices in order to pass his tests — otherwise she can predict all the output data that will be generated for any given random input, and so he cannot generate any new private randomness. Bob must thus ensure that his tests cannot be passed (except perhaps with a small probability) by devices whose outputs can be described by a local hidden variable model. To do so, Bob needs to perform some form of Bell test, in which the devices are prevented from signalling to one another, either by physical barriers or by being space-like separated, to ensure the presence of non-classical correlations. Secure private randomness expansion is thus impossible without Bell tests.

Our intuition is that, conversely, in suitable protocols, Bell tests make private randomness expansion possible. Roughly speaking, the underlying idea is that states that produce non-classical correlations possess some intrinsic randomness, uncorrelated with any other system in the universe. So, by verifying the presence of such correlations, Bob can be sure that Eve's devices are using such states and hence that he derives genuine private randomness from them. The hypothesis is then that, in order to pass Bob's verification with a significant probability of success, Eve's strategy must be so close to the honest one that she cannot gain significant information about Bob's newly generated private randomness.

The protocols used in this work are based on the following test, which we call a GHZ test [l^^{11,12}. Bob asks for three devices, each of which has two settings (which we label $P_i$ and $Q_i$ for the $i$th device) and can output either $+1$ or $-1$. We use $p_i$ and $q_i$ to denote the values of the outputs when inputs $P_i$ and $Q_i$ are made. Bob chooses one of the four triples of settings given by $P_1P_2P_3$, $P_1Q_2Q_3$, $Q_1P_2Q_3$ and $Q_1Q_2P_3$, obtaining a result given by the product of outputs corresponding to the specified inputs: for example, if his inputs are $P_1P_2P_3$ he obtains outcomes $p_1$, $p_2$ and $p_3$. He demands that the product $p_1p_2p_3$ is $-1$, while $p_1q_2q_3$, $q_1p_2q_3$ and $q_1q_2p_3$ are $+1$. That these cannot be satisfied by a classical assignment [l^ can be seen by considering the product of the four quantities. According to Bob's demands, this must be $-1$, while the algebraic expression obtained by a classical assignment is $p_1^2p_2^2p_3^2q_1^2q_2^2q_3^2$, which must be $+1$. If, instead, the $\{p_i\}$ and $\{q_i\}$ are obtained from the outcomes of measurements acting on an entangled quantum state, then Bob's demands can always be met. In the Appendix, the complete set of operators and states which do this is derived. In essence, all such operators behave like Pauli $\sigma_x$ and $\sigma_y$ operators and the state behaves like a GHZ state, $\frac{1}{\sqrt{2}}(|000\rangle - |111\rangle)$, up to local unitaries.
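As an added illustration (not code from the paper), the following Python checks both halves of this argument numerically: it enumerates the 64 classical assignments of the six outputs and finds none meeting all four demands, and it evaluates the four settings-products on the state $\frac{1}{\sqrt{2}}(|000\rangle - |111\rangle)$ with $P_i = \sigma_x$ and $Q_i = \sigma_y$ (the operators and state named above) to show they equal $-1, +1, +1, +1$ with certainty. The labelling of $P$ as $\sigma_x$ and $Q$ as $\sigma_y$ is the assumption made here; no external libraries are used.

```python
# Added example (not from the paper): numerical check of the GHZ test.
# Part 1 brute-forces every classical (local hidden variable) assignment of
# the six outputs p_i, q_i in {+1,-1}; Part 2 computes the expectation of
# each settings-product on (|000> - |111>)/sqrt(2) with P_i = sigma_x and
# Q_i = sigma_y using plain Python complex arithmetic.
import itertools
import math

# Bob's four settings triples and the product he demands for each.
# 'P' means setting P_i, 'Q' means setting Q_i, for device i = 0, 1, 2.
GHZ_DEMANDS = {("P", "P", "P"): -1,
               ("P", "Q", "Q"): +1,
               ("Q", "P", "Q"): +1,
               ("Q", "Q", "P"): +1}

def classical_test(assignment):
    """assignment: dict {('P', i): p_i, ('Q', i): q_i} with values +/-1.
    A classical assignment fixes all six values in advance; returns how
    many of Bob's four demands it satisfies."""
    passed = 0
    for settings, wanted in GHZ_DEMANDS.items():
        product = 1
        for i, setting in enumerate(settings):
            product *= assignment[(setting, i)]
        passed += (product == wanted)
    return passed

def best_classical_score():
    """Maximum number of demands any of the 2^6 assignments satisfies.
    The product of all four demanded values is -1, but the product of the
    four classical expressions is a perfect square (+1), so at most 3."""
    keys = [(s, i) for s in ("P", "Q") for i in range(3)]
    best = 0
    for values in itertools.product((+1, -1), repeat=6):
        best = max(best, classical_test(dict(zip(keys, values))))
    return best

# --- quantum part: Pauli matrices, Kronecker products, expectations ---
SIGMA_X = [[0, 1], [1, 0]]
SIGMA_Y = [[0, -1j], [1j, 0]]
PAULI = {"P": SIGMA_X, "Q": SIGMA_Y}   # assumed labelling (see Appendix)

def kron(a, b):
    """Kronecker product of two square matrices given as nested lists."""
    n, m = len(a), len(b)
    return [[a[i // m][j // m] * b[i % m][j % m]
             for j in range(n * m)] for i in range(n * m)]

def ghz_minus():
    """(|000> - |111>)/sqrt(2) as an 8-component amplitude vector,
    qubit 1 being the most significant bit of the basis index."""
    psi = [0j] * 8
    psi[0b000] = 1 / math.sqrt(2)
    psi[0b111] = -1 / math.sqrt(2)
    return psi

def expectation(op, psi):
    """<psi| op |psi> for an 8x8 operator and an 8-vector."""
    op_psi = [sum(op[i][j] * psi[j] for j in range(8)) for i in range(8)]
    return sum(psi[i].conjugate() * op_psi[i] for i in range(8))

def quantum_products():
    """Expectation of each settings-product on the GHZ state, rounded to
    an integer. A value of exactly +1 or -1 means the product takes that
    value with certainty, so every run passes Bob's check."""
    psi = ghz_minus()
    results = {}
    for settings in GHZ_DEMANDS:
        op = kron(kron(PAULI[settings[0]], PAULI[settings[1]]),
                  PAULI[settings[2]])
        results[settings] = round(expectation(op, psi).real)
    return results

def quantum_passes_all():
    """True iff the GHZ state meets all four of Bob's demands."""
    return all(quantum_products()[s] == w for s, w in GHZ_DEMANDS.items())
```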



III. PRIVATE RANDOMNESS EXPANSION 

A. Security Definitions 

In this section, we define what it means for a string to be private and random. We say that $S$ is a private random string with respect to a system $E$ if the joint state of the string and $E$ takes the form

$$\rho^{I}_{SE} := \sum_{s} \frac{1}{|S|}\, |s\rangle\langle s| \otimes \sigma_E, \tag{1}$$

for some state $\sigma_E$, where the sum runs over all possible instances, $s$, of the string $S$ and the superscript $I$ stands for "ideal". The key properties of this state are that the $E$ system is uncorrelated with $S$, and that the possible instances of $s$ are uniformly distributed.

In practice, it will not be possible to guarantee a state of this form. Instead, we may have a state

$$\rho^{R}_{SE} := \sum_{s} P_S(s)\, |s\rangle\langle s| \otimes \rho^{s}_E, \tag{2}$$

where the superscript $R$ stands for "real". We say that the string $S$ in this state is a $\delta$-private random string with respect to $E$ if there exists a $\sigma_E$ such that $D(\rho^{R}_{SE}, \rho^{I}_{SE}) \le \delta$, where $D(\rho, \tau) := \frac{1}{2}\operatorname{tr}|\rho - \tau|$ is the trace distance. The trace distance is related to the optimal probability of guessing which of two states one has. Its operational significance is that if $D(\rho, \tau) \le \delta$, then no physical procedure allows one to distinguish between $\rho$ and $\tau$ with success probability greater than $\delta$. Moreover, since the trace distance is non-increasing under quantum operations [20], this condition must persist when the string is used in any application.

^11 Other tests of non-locality could also be used, some of which are discussed in Section V (see also [16]).

^12 A note on notation: we tend to use upper case letters to denote random variables and lower case letters for particular instances of these random variables. For random variable $X$, we use $|X|$ to denote the number of possible outcomes of $X$. Thus, $|S| = 2^n$ for a bit string $S$ of length $n$.

In private randomness expansion, typically the raw outputs of the devices are not $\delta$-private for a sufficiently small $\delta$, and require privacy amplification in order to reduce $\delta$ to an acceptable level for security. This is described in detail in the next subsection.

It is impossible to devise a finite device-independent cryptographic protocol that guarantees non-trivial security for any task with complete certainty. Eve can always follow the strategy of guessing the random input string and supplying appropriate pre-computed outputs: this has a nonzero probability of success. In particular, it is impossible to construct a private randomness expansion protocol that guarantees that the final string is $\delta$-private (for small $\delta$) against an arbitrary attack by Eve. Our security criterion thus involves two parameters. We demand that for any strategy chosen by Eve, the a priori probability that the protocol does not abort and the final string is not $\delta$-private is at most $\zeta$, where $\delta$ and $\zeta$ are suitably small. We say that a protocol with this property is a $\zeta$-secure protocol that generates a $\delta$-private string^13. Since $\delta$ and $\zeta$ are small, Eve has only a small probability of learning a significant amount of information about the final string without causing the protocol to abort.



B. Privacy Amplification 

Privacy amplification takes an initial string, $X'$, about which a potential adversary has partial knowledge, $E$, and compresses it to a shorter string, $S$, which is approximately uniformly distributed and independent of the adversary's knowledge. This typically requires some additional randomness, $R$, to select the function, $f$, from some set of functions, used for the compression. The idea is that by choosing the set appropriately, the final string, $S$, is very close to being private and random (according to the definition given in the previous section). Furthermore, we require that the string $S$ is very close to independent of the randomness, $R$, used to choose the function.

Privacy amplification was first studied in the case where the adversary's knowledge, $E$, is classical (see for example [21–23]) and was later extended to the case of quantum knowledge [23–26]. In the latter works, it was shown that the length of extractable private random string can be characterized in terms of the smooth conditional min-entropy of the initial string, $X'$, given the knowledge, $E$, the quantum version of which was first introduced in [26].

The smooth min-entropy can be defined not only for strings, $X'$, but for any quantum state on a system, $B$. We first define the non-smooth min-entropy of $B$ given $E$ for a state $\rho_{BE}$:

$$H_{\min}(B|E)_{\rho} := \max_{\sigma_E} \sup\{\lambda \in \mathbb{R} : 2^{-\lambda}\, \mathbb{1}_B \otimes \sigma_E \ge \rho_{BE}\},$$

where the maximization is over normalized density operators, $\sigma_E$. The $\varepsilon$-smooth conditional min-entropy of $B$ given $E$ is then defined by

$$H^{\varepsilon}_{\min}(B|E)_{\rho} := \max_{\bar{\rho}_{BE}} H_{\min}(B|E)_{\bar{\rho}}, \tag{3}$$

where the maximization is over a set of positive (and potentially sub-normalized) operators $\varepsilon$-close to $\rho$ with respect to some distance measure^14.

We consider the use of two-universal hash functions for privacy amplification, which are defined as follows [28, 29]:

Definition 1. A set of functions, $\mathcal{F}$, from $X'$ to $S$ is two-universal if, when $f_R \in \mathcal{F}$ is picked using a uniform random variable $R$, for any distinct instances, $x'_1$ and $x'_2$, of $X'$, the probability that they give the same value of $S$ is at most $\frac{1}{|S|}$, i.e., $\Pr_R[f_R(x'_1) = f_R(x'_2)] \le \frac{1}{|S|}$.

We remark that other appropriate functions could be used instead — we would like a class of functions with the fewest members. In particular, privacy amplification schemes based on Trevisan's extractor [30] have recently been shown to be secure even when the information $E$ is quantum, and in general require a shorter seed than schemes using two-universal hash functions [31]. To simplify the discussion, given that we do not analyse optimality or security against general attacks, we focus on two-universal hashing here.

Including the classical spaces used to define the string, $X'$, and the random string used to choose the hash function, $R$, the state we have prior to privacy amplification has the form

$$\rho_{X'ER} = \sum_{r, x'} P_R(r)\, P_{X'}(x')\, |x'\rangle\langle x'| \otimes \rho^{x'}_E \otimes |r\rangle\langle r|, \tag{4}$$

where $P_R(r) = \frac{1}{|R|}$. After applying the hash function $f_r \in \mathcal{F}$, the state takes the form

$$\rho_{SER} = \sum_{r, s} P_R(r)\, P_S(s)\, |s\rangle\langle s| \otimes \rho^{r,s}_E \otimes |r\rangle\langle r|, \tag{5}$$



^13 A protocol that never aborts is thus $\zeta$-secure if the a priori probability that the final string is not $\delta$-private is at most $\zeta$.

^14 Various distance measures have been used in the past. One popular approach is to use the purified distance, which is the minimum trace distance over purifications of the involved states (see [27] for further details).
where $P_S(s)\,\rho^{r,s}_E = \sum_{x' : f_r(x') = s} P_{X'}(x')\, \rho^{x'}_E$. Ideally, the state of the system in $\mathcal{H}_S$ would look uniform from Eve's point of view, even if she were to learn $R$ (functions for which this property holds are sometimes called strong extractors). The variation from this ideal can be expressed in terms of the trace distance between the state and an ideal,

$$D(\rho_{SER}, \tau_S \otimes \sigma_{ER}), \tag{6}$$

where $\tau_S$ is the maximally mixed state in $\mathcal{H}_S$ and $\sigma_{ER}$ is an arbitrary state. This distance is bounded in the following theorem [26].

Theorem 1. If $f_r$ is chosen from a two-universal set of hash functions, $\mathcal{F}$, using a uniform random string, $R$, which is uncorrelated with $S$ and $E$, and is used to map $X'$ to $S$ as described above, then for $|S| = 2^t$ and $\varepsilon > 0$, we have

$$\min_{\sigma_{ER}} D(\rho_{SER}, \tau_S \otimes \sigma_{ER}) \le \varepsilon + \frac{1}{2}\, 2^{-\frac{1}{2}\left(H^{\varepsilon}_{\min}(X'|E)_{\rho} - t\right)}. \tag{7}$$

Hence, if Bob chooses $t = H^{\varepsilon}_{\min}(X'|E) - \ell$, for some $\ell > 0$, he can use a random string, $R$, to compress his string, $X'$, which is partly correlated with a quantum system held by Eve, to a $\delta$-private string, $S$, for some $\delta \le \varepsilon + \frac{1}{2}\, 2^{-\ell/2}$.
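The following added example (not code from the paper or from Ref. [26]) implements one concrete two-universal family, Toeplitz hashing over GF(2), verifies Definition 1 by exhaustive counting for small parameters, and evaluates the bound in (7) for Bob's choice $t = H^{\varepsilon}_{\min}(X'|E) - \ell$. It assumes the Toeplitz family, whose seed has $|X'| + t - 1$ bits rather than the equal-length seed of the family the paper cites; the parameter sizes are constructed for the check.

```python
# Added example (not the paper's code): a two-universal hash family in the
# sense of Definition 1, realised as Toeplitz hashing over GF(2), and the
# leftover-hash bound of Theorem 1 used to choose the output length t.
# Assumption: the family is Toeplitz, with a seed of n + t - 1 bits.
import itertools

def parity(v):
    """Parity (XOR of all bits) of a non-negative integer."""
    return bin(v).count("1") & 1

def toeplitz_hash(x, seed, n, t):
    """Map an n-bit input x to t output bits with an (n + t - 1)-bit seed.
    Row i of the matrix is the n-bit window of the seed starting at bit i,
    so output bit i is the GF(2) inner product <window_i, x>."""
    mask = (1 << n) - 1
    out = 0
    for i in range(t):
        row = (seed >> i) & mask
        out |= parity(row & x) << i
    return out

def collision_counts(n, t):
    """For every pair of distinct n-bit inputs, count the seeds that make
    them collide. Definition 1 demands count / 2^(n+t-1) <= 1/|S| = 2^-t.
    Returns (min count, max count, number of seeds)."""
    seed_bits = n + t - 1
    counts = []
    for x1, x2 in itertools.combinations(range(1 << n), 2):
        hits = sum(toeplitz_hash(x1, r, n, t) == toeplitz_hash(x2, r, n, t)
                   for r in range(1 << seed_bits))
        counts.append(hits)
    return min(counts), max(counts), 1 << seed_bits

def is_two_universal(n, t):
    """True iff the worst-case collision probability is at most 2^-t."""
    _, worst, seeds = collision_counts(n, t)
    return worst * (1 << t) <= seeds

def privacy_bound(h_min, t, eps):
    """Right-hand side of (7): eps + 1/2 * 2^(-(H_min^eps(X'|E) - t)/2),
    a bound on delta for an output of t bits."""
    return eps + 0.5 * 2 ** (-(h_min - t) / 2)

def choose_output_length(h_min, ell):
    """Bob's choice t = H_min^eps(X'|E) - ell with ell > 0, for which (7)
    gives delta <= eps + 1/2 * 2^(-ell/2)."""
    if ell <= 0:
        raise ValueError("ell must be positive")
    return h_min - ell
```

For the Toeplitz family the collision count is the same for every pair (exactly $2^{n+t-1-t}$ seeds), which is why the check returns equal minimum and maximum.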

We remark that privacy amplification is usually discussed in a three party scenario, in which Alice and Bob seek to generate a shared random string on which Eve's information is negligible. Alice and Bob are required to communicate during the amplification stage, and thus leak information (in our case the random string $R$) about the amplification process to Eve. Private randomness expansion, on the other hand, is a task involving only Bob, who aims to generate data secret from Eve. No information need be leaked in amplification since there is no second honest party needing to perform the same procedure. The random string $R$ hence remains private with respect to Eve^15.



IV. PROTOCOLS 

We begin this section by giving a protocol which is designed to allow a private random string to be expanded by a finite amount. Before performing the protocol, Bob asks Eve for three devices, each of which has two settings (inputs), ($P_i$ and $Q_i$ for the $i$th device) and can make two possible outputs, $+1$ or $-1$. Bob asks that whenever these devices are used to measure one of the four GHZ quantities ($P_1P_2P_3$, $P_1Q_2Q_3$, $Q_1P_2Q_3$ and $Q_1Q_2P_3$), they return outcomes with the properties specified in Section II (i.e., whose products are $-1$, $+1$, $+1$ and $+1$ respectively)^16. Furthermore, he asks that these devices can satisfy these conditions without communicating. We call these three devices taken together a device triple. Bob uses his device triple in the following protocol.

^15 In principle, Eve can gain a little information about $R$ if and when she learns $S$, but only within the tight privacy bounds implied by (6) and (7).



Protocol 1

This protocol depends on parameters $\zeta > 0$ and $\delta > 0$ and can be applied to an initial private string $X$^17. Although we express it for the case of GHZ tests and two-universal hashing, it is easily adapted to other Bell tests or privacy amplification functions.

1. Bob sets up the device triple such that the devices cannot communicate with one another (cf. Assumption 2), nor send any information outside Bob's laboratory (cf. Assumption 1).

2. Bob divides his string $X$ into two strings $X_1$ and $R$ (the relative lengths of these strings depend on the choice of function used for privacy amplification in Step 6).

3. Bob uses two bits of $X_1$ to choose one of the four tests which he performs, ensuring that each device learns only its input (and not the whole string $X_1$). He brings all the output bits together.

4. If he receives the wrong product of outputs, he aborts^18, otherwise he turns his output into two bits using an appropriate assignment (for each test there are four possible valid output combinations). In this way, Bob builds a random string $X$.

5. Bob repeats Steps 3 and 4 until he has exhausted $X_1$.

6. Bob concatenates $X_1$ and $X$ to form a new string $X'$. He computes a suitable value $\gamma := \gamma(|X_1|, \zeta, \delta)$, where $|X_1|$ is the number of possible input strings, $\delta$ is the desired privacy parameter for the output string, and $\zeta$ is the a priori risk he will tolerate that the output string is not $\delta$-private^19. He performs privacy amplification on $X'$ to form a string of length $\log|S| = \gamma$ bits which, with a priori probability greater than $(1 - \zeta)$, is $\delta$-private. In the case of two-universal hashing, $R$ and $X'$ have equal length [2^ [2^^20 and so Bob should partition $X = (X_1, R)$ such that $2\log_2|X_1| = \log|R|$.

7. The protocol's output is the concatenated string $(S, R)$.

FIG. 1: Diagram of the steps in Protocol 1. Together devices 1–3 form a device triple. They are prevented from communicating with one another (depicted by the walls) or to the outside world (Eve). Each device learns only the set of inputs it is supplied with.

The entire setup is shown in Figure 1.

^16 In practice, Bob might ask for devices that measure either $\sigma_x$ or $\sigma_z$, and for a further device that creates GHZ states. However, he will not be able to distinguish such devices from another set satisfying the test but using a different set of states and operators. We have kept the description in terms of things he can verify.

^17 For any finite length of initial string, there will be minimum values of $\zeta$ and $\delta$ below which the protocol never increases the length of the string.

^18 In a more general protocol tolerating noise, Bob need not abort. Instead, he would collect statistics on when the devices generate outcomes with the wrong product, and use these to bound the min-entropy in Step 6.

If Eve is constrained by quantum theory, then the only way she can be certain to pass all of Bob's tests is if the joint state shared by the devices is pure and generates unbiased outcomes (see the Appendix). This strategy gives no information to Eve. Moreover, in this case, two bits of $X_1$ generate two new bits of randomness each time the loop is performed. This is an attractive feature of the GHZ-based protocol: the same operations are used both to test security and to generate new random bits. Furthermore, if Bob trusts Eve, he can forego the privacy amplification step and the shorter protocol is very efficient, doubling the length of the random key.

^19 In noise-tolerant protocols, $\gamma := \gamma(|X_1|, T, \zeta, \delta)$, where $T$ is the number of tests passed. In either the noiseless or the noise-tolerant case, finding an explicit form of the function $\gamma$ that provably has the desired properties remains an open problem: see the comments later in this section. Note also that $\gamma$ may be zero if any of the parameters are too small.

^20 More recently, it has been shown that a shorter $R$ roughly equal to the size of the output, $S$, can be used [3^. In the context of the present protocol, unless there are significant levels of cheating or noise, we do not expect that this will have a significant effect on the rate.

That said, of course, the aim is to protect Bob against a potentially dishonest Eve who can prepare the devices to include any quantum systems, which may be entangled with one another and also with an ancillary system kept under Eve's control. She may also prepare the devices with any quantum program to produce outputs from inputs^21.

It remains an open problem to find a function $\gamma(|X_1|, \zeta, \delta)$ (or $\gamma(|X_1|, T, \zeta, \delta)$ in the noise-tolerant case) such that the protocol is $\zeta$-secure. Since Eve is constrained by quantum theory, the joint quantum state of the system Bob uses to store $X'$ and Eve's systems has the form $\sum_{x'} P_{X'}(x')\, |x'\rangle\langle x'| \otimes \rho^{x'}_E$ prior to privacy amplification. Here, the information, $E$, should include any additional information about the protocol that Eve might possibly infer from data that Bob is not required by the protocol to keep private (and in realistic applications may not necessarily be able to keep private): for example, the length of the final private random string, whether the protocol aborted, or how many rounds were performed^22.

We would then like a statement which says that, for any $\zeta > 0$, there exists some calculable $\ell > 0$ such that, for any strategy used by Eve, we have $p \le \zeta$, where $p$ is the probability (averaged over all possible initial random strings $X$) that (i) the protocol does not abort and (ii) the min-entropy fails to satisfy $H^{\varepsilon}_{\min}(X'|E) \ge \gamma + \ell$. Conversely, if the min-entropy satisfies this bound, it follows that the string $S$ (of length $\gamma$) formed by hashing $X'$ is $\delta$-private for $\delta = (\varepsilon + \frac{1}{2}\, 2^{-\ell/2})$ (see Theorem 1)^23.

Intuition suggests — as a working hypothesis awaiting full analysis — that, in order to ensure a reasonable probability of the protocol not aborting, Eve cannot deviate much from her honest strategy, and so the string produced by a successful run of the protocol almost certainly satisfies $H^{\varepsilon}_{\min}(X'|E) \approx 2\log_2|X_1|$ for some suitably small $\varepsilon$. The length of the final output string would then be $\log_2|R| + t \approx \frac{4}{3}\log_2|X| - \ell$, i.e. the protocol would increase the length of the string by a factor close to $\frac{4}{3}$. (For a long enough initial string, a given level of security can be achieved with $\ell \ll \log_2|X|$.)

^21 In principle, Eve may also design the devices so as to attempt to send any quantum signals to one another, according to any algorithm of her choice. However this is pointless if, as in our protocol, Bob prevents such signalling.

^22 One can imagine scenarios in which no such information is in fact ever leaked to Eve. However, for unconditional and composable security, Bob's final string should remain private and random even if such information becomes known to Eve. See the discussion at the end of this section for some realistic scenarios in which this concern applies.

^23 Since it is only quantum devices that are supplied by Eve, and hashing is a classical procedure, there is no security issue associated with this step.

It is important to note that the string generated by our protocol, although private with respect to Eve, is not private with respect to the devices, which could be programmed to remember their output bits. The generated random string thus cannot be treated as defining an effectively independent new input string for the same devices. Furthermore, it is important that Bob prevents the devices from sending signals outside his laboratory until the private randomness is no longer required.

Attacks on the initially private string 

In earlier work on randomness expansion [15, 16] it was argued that there is no need to include $X_1$ in the string undergoing privacy amplification, the argument being that since $X_1$ is only used to do operations within Bob's laboratory, it always remains secure against the outside and hence can be included in the final private string without any processing. However, we argue here that there are reasonable scenarios in which, on the contrary, Eve could learn part of $X_1$ despite the security of Bob's laboratory. Protocols in which $X_1$ is left unprocessed in the final string do not have universally composable security, and indeed are evidently insecure in some reasonable applications.

We illustrate this point by giving a particular strategy which gives Eve a significant probability of learning some bits of $X_1$. Suppose Eve programs the devices such that the protocol aborts unless a set of $m$ specified bits of $X_1$ take specific values. For small $m$, Eve can ensure the devices behave in this way while keeping the probability of the protocol not aborting significantly above zero. If the string $X_1$ remained a truly private random string, this property should persist if Bob announces whether the protocol aborted or not (see also Footnote [H]). However, if Eve uses this strategy, the knowledge that the protocol did not abort would convey to Eve the values of the $m$ specified bits of $X_1$.

To make this point more concrete, imagine that Eve knows that Bob's casino relies on purportedly private random bits that are output from this protocol for tonight's operations. If the protocol aborts, Eve knows the casino will not open tonight. However, there is a significant chance that the protocol will not abort, and the casino will open tonight. Moreover, Eve knows that, if the casino does open, it will continue to run until the purportedly private random bit string that Bob has generated is exhausted. Eve can thus gain information about some bits conditioned on the casino opening, or staying open, and profitably bet on the relevant bits. Clearly, this is not consistent with a sensible definition of private randomness. Note that the protocol in [16] is equally vulnerable to attacks of this kind.

Eve can do this by fixing pre-specified outputs whose product is $-1$ for these bits, so that they are valid outputs for input P1P2P3 but not for any other input. Alternatively, she can pre-specify outputs that are invalid: for example, the devices could be programmed to output 2 (or to fail to make an output) for any input except P1Q2Q3.

Eve also has more general attacks of this type that allow her to learn some information about some bits: for instance, she can pre-specify some outputs whose product is 1, which will be valid for inputs P1Q2Q3, Q1P2Q3 and Q1Q2P3 but will cause an abort (in the noiseless case) if the input is P1P2P3.

In our protocol, the idea is to avoid this problem by 
performing privacy amplification on Xi as well as on X. 
Another possible strategy is to look for protocols that are 
efficient enough in generating new randomness that even 
if Xi is discarded prior to privacy amplification, the fi- 
nal private random string is longer than the original. The 
original random string can then simply be discarded after 
use. Protocols based on higher dimensional generaliza- 
tions of the GHZ test appear to be good candidates of 
this type (see the next section). Other classes of can- 
didates are protocols in which the inputs to the devices 
correspond to tests only on a relatively small (randomly 
chosen) subset of the rounds, with deterministic inputs 
used for the remainder, or to protocols in which the in- 
puts are chosen with a non-uniform distribution that re- 
quires a relatively small amount of randomness to sample 
from.
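The abort-conditioned leakage discussed above, as an added illustration that is not part of the paper: a small constructed model of the three-device GHZ protocol in which the devices are programmed to misbehave on selected rounds unless those rounds' settings take a target value (the "output 2" abort signal from the footnote). Enumerating every input string $X_1$ shows that the probability of not aborting is $4^{-w}$ for $w$ rigged rounds, and that conditioned on no abort the $2w$ bits of $X_1$ selecting those rounds have zero entropy, whereas honest devices leave them uniform. This is exactly why $X_1$ has to go through privacy amplification. The setting encoding, the device models and all function names are this example's own assumptions.

```python
from fractions import Fraction
from itertools import product
from math import log2

# Three-device GHZ test: two bits of X_1 select one of these settings per round.
SETTINGS = [('P', 'Q', 'Q'), ('Q', 'P', 'Q'), ('Q', 'Q', 'P'), ('P', 'P', 'P')]
REQUIRED = {('P', 'Q', 'Q'): 1, ('Q', 'P', 'Q'): 1, ('Q', 'Q', 'P'): 1, ('P', 'P', 'P'): -1}
INVALID = 2   # the "output 2" signal from the footnote: not a legal +/-1 outcome, so Bob aborts


def round_setting(x1, r):
    """Bits 2r and 2r+1 of X_1 select the setting of round r (constructed encoding)."""
    return SETTINGS[2 * x1[2 * r] + x1[2 * r + 1]]


def honest_outputs(setting, coins):
    """Ideal GHZ devices: two outputs are random (supplied as `coins`), the third is
    whatever makes the product equal the value the test demands."""
    a, b = coins
    return (a, b, REQUIRED[setting] * a * b)


def rigged_outputs(setting, coins, target):
    """Constructed adversarial programming from the text: honest only when the round's
    setting equals `target`; otherwise device 1 emits INVALID and the run aborts."""
    out = honest_outputs(setting, coins)
    return out if setting == target else (INVALID,) + out[1:]


def bob_accepts_round(setting, out):
    """Bob's per-round check: legal +/-1 outputs whose product matches the test."""
    return all(o in (1, -1) for o in out) and out[0] * out[1] * out[2] == REQUIRED[setting]


def abort_leakage(rounds, watched_rounds, rigged, target=('P', 'Q', 'Q')):
    """Enumerate every X_1 of 2*rounds bits (uniform prior) and return
    (P[no abort], H(bits of X_1 selecting the watched rounds | no abort)).
    With rigged=False all devices are honest; with rigged=True the watched rounds
    use the programmed devices.  The devices' coins never influence aborting, so a
    fixed coin pair is enough to decide abort/no-abort for each X_1."""
    watched_bits = [2 * r + b for r in watched_rounds for b in (0, 1)]
    survivors = []
    for x1 in product((0, 1), repeat=2 * rounds):
        ok = True
        for r in range(rounds):
            s = round_setting(x1, r)
            out = (rigged_outputs(s, (1, -1), target) if rigged and r in watched_rounds
                   else honest_outputs(s, (1, -1)))
            if not bob_accepts_round(s, out):
                ok = False
                break
        if ok:
            survivors.append(tuple(x1[i] for i in watched_bits))
    p_no_abort = Fraction(len(survivors), 2 ** (2 * rounds))
    counts = {}
    for v in survivors:
        counts[v] = counts.get(v, 0) + 1
    n = len(survivors)
    entropy = -sum(c / n * log2(c / n) for c in counts.values())
    return p_no_abort, entropy


if __name__ == "__main__":
    print("honest :", abort_leakage(3, [0, 1], rigged=False))   # (1, 4.0)
    print("rigged :", abort_leakage(3, [0, 1], rigged=True))    # (1/16, 0.0)
```

With three rounds and rounds 0 and 1 rigged, the honest devices never abort and the four watched bits stay uniform (4 bits of entropy), while the rigged devices abort $15/16$ of the time and, on the runs that survive, the same four bits are fully determined by the single fact that Bob did not abort.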



Iteration via Isolation 

The protocol we have presented aims to expand a finite initial random string by a finite additional amount. However, it is natural to ask whether indefinite expansion of a finite random string is possible. We now present an extended protocol which suggests that this may, in principle, be achievable. However, this protocol has the disadvantage that it requires a large number of additional devices. In the extended protocol, Bob asks Eve for $N$ device triples and arranges them such that no two can communicate, e.g. by placing them in their own sub-laboratories. He then performs Protocol 1 using the first device triple, generating a new string $(S', R)$. This is then used to perform Protocol 1 on the second device triple, and so on. To get started, this extended protocol requires that the initial private random string is sufficiently long that it can be securely expanded.

Strictly speaking, as presented, the protocol in [16] never aborts, although it may fail to increase the length of the initially private random seed string. However, it is vulnerable to an attack in which Eve uses the length of the final generated key to infer information about the purportedly still private random seed. A fix for this is discussed in the following footnote.

This tactic is used in the protocol in [16]. Although, as presented, the protocol in [16] is vulnerable to the attack discussed here, this could be fixed by simply discarding the relevant part of the initial string. Doing so makes the potential insecurity of the initial string irrelevant, but of course may significantly affect the accounting in practical implementations. For example, if applied to the reported experiment in [16], it would mean the final private random string produced is actually shorter than the initial private random string.

Again, we stress that rigorous analysis remains a task for the future.



V. TESTS BASED ON OTHER CORRELATIONS 

In this section we discuss some alternative ways of constraining Eve rather than demanding that her outputs satisfy GHZ tests, with a view to improving the rate (i.e., the length of private random string generated by a given length of initial private random string) while keeping the number of devices required relatively small. One promising family of correlations comes from direct generalizations of the GHZ correlations to more parties, as conceived by Pagonis, Redhead and Clifton (PRC) [33]. Their family of tests is such that in the $k$th version of this test, $4k-1$ devices are required to measure one of $4k$ quantities (i.e., $\log_2(4k)$ bits of randomness are required per test), while generating $4k-2$ bits of randomness. (The case $k=1$ corresponds exactly to the GHZ test.)

For example, in the case $k=2$, Bob asks for seven of the two-input, two-output devices discussed previously and considers measuring one of the eight combinations

P1Q2Q3Q4Q5Q6Q7, Q1P2Q3Q4Q5Q6Q7, Q1Q2P3Q4Q5Q6Q7, Q1Q2Q3P4Q5Q6Q7,
Q1Q2Q3Q4P5Q6Q7, Q1Q2Q3Q4Q5P6Q7, Q1Q2Q3Q4Q5Q6P7, P1P2P3P4P5P6P7.

He demands that the products of the outputs for the first seven combinations are always $+1$ and for the last combination the product of the outputs should be $-1$. This can be achieved using PRC's 7-party generalization of the GHZ state. For this test, 3 bits of randomness are required to choose amongst the eight settings, while in a successful implementation of the test on this state, 6 bits of randomness are generated by the output. If Bob trusts Eve, the private random string is tripled in length, and for larger $k$ the expansion is even more dramatic.

Such tests thus look like very good candidates for private randomness expansion. However, of course, we still need to introduce privacy amplification to protect Bob against a dishonest Eve. Using $\log_2|X_1|$ bits of private randomness we can perform $\log_2|X_1|/\log_2(4k)$ tests, generating (approximately) $\frac{\log_2|X_1|}{\log_2(4k)}(4k-2)$ new bits. If one uses two-universal hashing for privacy amplification, then in order to choose the hash function we require $\frac{\log_2|X_1|}{\log_2(4k)}(4k-2) + \log_2|X_1|$ bits. We also have

$$\log_2|X| = \log_2|X_1| + \log_2|R| = \frac{2\left(\log_2(4k) + 2k - 1\right)}{\log_2(4k)}\,\log_2|X_1| \text{ bits},$$

hence the length of the final string (the seed $R$, which remains private, together with the hashed output) is (approximately) $\frac{\log_2(4k) + 4k - 2}{\log_2(4k) + 2k - 1}\,\log_2|X|$, i.e. the final string is $\frac{\log_2(4k) + 4k - 2}{\log_2(4k) + 2k - 1}$ times longer than the original. Hence, in the limit of large $k$, we would intuitively expect the analogous protocols to roughly double the length of private random string. Furthermore, if a function requiring shorter $R$ were used for privacy amplification (e.g. that of [31]), the rate increase with $k$ is potentially greater.

Even if such tests do improve the rate of random string expansion, though, there are trade-offs. Firstly, more devices are needed and, secondly, it seems likely that a longer initial private string is required in order to achieve a given level of security. The intuition behind this second statement comes from considering a classical attack. For a GHZ test, a classical attack can escape detection with probability $\tfrac{3}{4}$ per test, while in the $k$th generalization this increases to

$$\frac{4k-1}{4k}.$$
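As an added example (not code from the paper), the following Python models the $k$th PRC test: it enumerates the $4k$ settings following the pattern the text gives for $k=2$ (one device measuring P and the rest Q, or all P; extending that pattern to other $k$ is this example's assumption), checks a round the way Bob does, recovers the classical escape probability $(4k-1)/4k$ by brute force over every local deterministic strategy, and computes the two expansion factors from the accounting in this section. The hashed factor assumes, as the text's accounting does, that the hash seed is as long as the string being hashed and is kept as part of the output. All function names are the example's own.

```python
from fractions import Fraction
from itertools import product
from math import log2


def prc_settings(k):
    """The 4k measurement settings of the k-th PRC test on n = 4k - 1 devices.

    Returns a list of (setting, required_product) pairs.  The pattern follows the
    k = 2 list in the text: one device measures P and the rest Q (product +1),
    or every device measures P (product -1).  k = 1 is the three-device GHZ test.
    """
    n = 4 * k - 1
    settings = [(tuple('P' if j == i else 'Q' for j in range(n)), +1)
                for i in range(n)]
    settings.append((tuple('P' for _ in range(n)), -1))
    return settings


def round_passes(k, setting, outputs):
    """Bob's per-round check: every device answered +1 or -1 and the product
    matches the value the test demands for this setting.  Anything else aborts."""
    required = dict(prc_settings(k))[setting]
    if any(o not in (1, -1) for o in outputs):
        return False
    prod = 1
    for o in outputs:
        prod *= o
    return prod == required


def max_classical_pass_fraction(k):
    """Largest fraction of the 4k settings that a classical (local, deterministic)
    strategy can satisfy.  Each device fixes an answer for P and for Q in advance;
    shared randomness only mixes such tables, so this bound covers mixtures too.
    Brute force over all 2**(2n) tables for n = 4k - 1 devices."""
    n = 4 * k - 1
    settings = prc_settings(k)
    best = 0
    for table in product((1, -1), repeat=2 * n):
        p, q = table[:n], table[n:]
        passed = 0
        for setting, required in settings:
            prod = 1
            for j, kind in enumerate(setting):
                prod *= p[j] if kind == 'P' else q[j]
            passed += prod == required
        best = max(best, passed)
    return Fraction(best, len(settings))


def bits_per_test(k):
    """(bits of X_1 consumed, bits of output randomness) per run of the k-th test."""
    return log2(4 * k), 4 * k - 2


def trusted_expansion_factor(k):
    """Growth of the private string if Bob trusted Eve: the inputs stay private and
    the outputs are simply appended.  k = 2 gives 3 (a tripling), as in the text."""
    bits_in, bits_out = bits_per_test(k)
    return (bits_in + bits_out) / bits_in


def hashed_expansion_factor(k):
    """Growth once two-universal hashing is added, using this section's accounting:
    seed as long as the hashed string (X_1 plus outputs), final string = seed plus
    hashed output.  Equals (log2(4k) + 4k - 2) / (log2(4k) + 2k - 1), tending to 2."""
    bits_in, bits_out = bits_per_test(k)
    return (bits_in + bits_out) / (bits_in + 2 * k - 1)


if __name__ == "__main__":
    for k in (1, 2):
        print(k, len(prc_settings(k)), max_classical_pass_fraction(k),
              trusted_expansion_factor(k), hashed_expansion_factor(k))
```

The brute force is exhaustive only because the tables are tiny ($2^6$ for $k=1$, $2^{14}$ for $k=2$); the reason the bound is tight is visible in the code's product rule: multiplying the $4k-1$ single-P constraints together forces the all-P product to be $+1$, so no deterministic table can satisfy every setting, and one that answers $+1$ everyw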



One could also use a test based on the CHSH correlations [34], as considered in [3]. CHSH-based protocols do not have the convenient cheat-detection property that protocols based on GHZ correlations (and their generalizations) possess in the noiseless case: for tests based on CHSH correlations one can never be completely certain that cheating has been identified. Nor do they have the appealing property that correlation tests can be directly used as new random bits in the case where Eve is honest. These features of GHZ-based protocols have, at least, some pedagogical value, allowing as they do a simple explanation of the basic idea of random string expansion. However, as far as we are aware, it is generally an open question to identify which class of Bell violation allows the most efficient private randomness expansion protocols for a given set of parameters $|X|$, $\delta$ and for a given costing of the various cryptographic and physical resources involved.



VI. DISCUSSION 

Private randomness expansion may be a useful prim- 
itive on which to base other protocols in the untrusted 
device scenario. More fundamentally, we can think of na- 
ture as our untrusted adversary which provides devices. 
One could then argue that our protocols strengthen the belief that nature genuinely generates randomness.

The untrusted devices scenario is a realistic one, and seems likely to become important if quantum computers or quantum cryptosystems become widespread. Ordinary users will not want to construct their own hardware and will instead turn to suppliers, just as users of classical computers and encryption software do today. The protocols in this paper are designed with the ultimate aim of offering such users a virtual guarantee that the devices supplied are behaving in such a way that their outputs are private and random.

A word of caution: at present Theorem 1 is only proven to hold in the case that the randomness used to choose the function is perfectly uniform and perfectly uncorrelated with $S$ and $E$.

Of course, this assumes both that nature is constrained by the no-signalling principle and that we can generate some initial randomness uncorrelated with nature's subsequent behaviour: it is impossible to rule out cosmic conspiracy.

Finally, we note the possibility of the given protocols being secure even against an adversary who is not bound by quantum theory. As BHK first showed ([sf]; see also [10]–[12]), quantum key distribution protocols can be provably secure even against such an adversary, provided certain signalling constraints can be guaranteed. In the case of our private randomness expansion protocol, the post-quantum adversary is analogously constrained: we assume that Bob can ensure there is no signalling between any of the devices held separately in his laboratory, nor between any of them and Eve. It is a further open problem to provide a security proof in this scenario.

We expect that, if additional private randomness can 
be securely generated by our protocol in this post- 
quantum scenario, it will be at a lower rate than in the 
quantum case, since Eve has more general attacks avail- 
able. 

For instance, Eve can exploit the power of so-called non-local (NL) boxes — hypothetical devices that maximally violate the CHSH inequality. In the notation introduced in Section III B, the device's outputs satisfy $p_1 p_2 = -1$ and $p_1 q_2 = p_2 q_1 = q_1 q_2 = 1$ [Ullll]. By using NL boxes, Eve can always know the output of one of the devices. For example, if she sets the third device to output 1 and the first two to obey the NL box conditions given above, she will always pass a GHZ test. It is therefore clear that at most one bit of private randomness would result from each test (rather than close to two bits if Eve uses a quantum strategy).
Appendix

The technique that we follow here is based on that used to find the complete set of states and measurements producing maximal violation of the CHSH inequality [36].



We seek the complete set of tripartite states (in finite dimensional Hilbert spaces), and two-setting measurement devices that output either $1$ or $-1$, such that, denoting the observables measured by device $i$ by $P_i$ and $Q_i$, we have

$$P_1 \otimes Q_2 \otimes Q_3\,|\Psi\rangle = |\Psi\rangle, \qquad (8)$$
$$Q_1 \otimes P_2 \otimes Q_3\,|\Psi\rangle = |\Psi\rangle, \qquad (9)$$
$$Q_1 \otimes Q_2 \otimes P_3\,|\Psi\rangle = |\Psi\rangle, \qquad (10)$$
$$P_1 \otimes P_2 \otimes P_3\,|\Psi\rangle = -|\Psi\rangle. \qquad (11)$$

Here $|\Psi\rangle$ is the tripartite state. (We consider the case of pure states since the mixed state case follows immediately from it.) We then have

$$F|\Psi\rangle = \tfrac{1}{4}\left(P_1\otimes Q_2\otimes Q_3 + Q_1\otimes P_2\otimes Q_3 + Q_1\otimes Q_2\otimes P_3 - P_1\otimes P_2\otimes P_3\right)|\Psi\rangle = |\Psi\rangle. \qquad (12)$$



$|\Psi\rangle$ is thus an eigenstate of $F$ with eigenvalue $1$, so that $F^2|\Psi\rangle = |\Psi\rangle$. This is equivalent to

$$\left(i[P_1,Q_1]\otimes i[P_2,Q_2]\otimes \mathbb{1} + i[P_1,Q_1]\otimes \mathbb{1}\otimes i[P_3,Q_3] + \mathbb{1}\otimes i[P_2,Q_2]\otimes i[P_3,Q_3]\right)|\Psi\rangle = 12\,|\Psi\rangle,$$

where $[P,Q] := PQ - QP$ is the commutator of $P$ and $Q$.

The maximum eigenvalue of $i[P_i,Q_i]$ is $2$, hence

$$i[P_1,Q_1]\otimes i[P_2,Q_2]\otimes \mathbb{1}\,|\Psi\rangle = 4\,|\Psi\rangle \qquad (13)$$

and similar relations for the other permutations. We hence have $i[P_1,Q_1]\otimes\mathbb{1}\otimes\mathbb{1}\,|\Psi\rangle = 2\,|\Psi\rangle$, from which it follows that $\langle\Psi|\left(\{P_1,Q_1\}\otimes\mathbb{1}\otimes\mathbb{1}\right)^2|\Psi\rangle = 0$, and hence that $\left(\{P_1,Q_1\}\otimes\mathbb{1}\otimes\mathbb{1}\right)|\Psi\rangle = 0$, where $\{P,Q\} := PQ + QP$ is the anti-commutator of $P$ and $Q$, and we use that $P_i$ and $Q_i$ have outcomes $\pm 1$ and hence satisfy $P_i^2|\Psi\rangle = |\Psi\rangle$ and $Q_i^2|\Psi\rangle = |\Psi\rangle$.

Consider the following Schmidt decomposition: $|\Psi\rangle = \sum_{i=1}^{n}\lambda_i\,|i_1\rangle|i_{23}\rangle$, where $\lambda_i \geq 0\ \forall\, i$, and $n$ is the dimensionality of the first system. Then, if $\lambda_i \neq 0\ \forall\, i$, the $\{|i_1\rangle\}$ are $n$ eigenstates of $\{P_1,Q_1\}$, each having eigenvalue $0$. Since there are only $n$ eigenstates, we must have

$$\{P_1,Q_1\} = 0.$$

If some of the $\lambda_i$ are zero, then we can define a projector onto the non-zero subspace. Call this $\Pi_1$, and define $p_1 = \Pi_1 P_1 \Pi_1$ and $q_1 = \Pi_1 Q_1 \Pi_1$. Similarly, define projectors $\Pi_2$ and $\Pi_3$, and hence operators $p_2, q_2$ and $p_3, q_3$, by taking the Schmidt decomposition for systems $(1,3)$ and $2$, and $(1,2)$ and $3$, respectively. It is then clear that

$$\tfrac{1}{4}\left(p_1\otimes q_2\otimes q_3 + q_1\otimes p_2\otimes q_3 + q_1\otimes q_2\otimes p_3 - p_1\otimes p_2\otimes p_3\right)|\Psi\rangle = |\Psi\rangle$$

holds for the projected operators, and hence these satisfy $\{p_i,q_i\} = 0$ for $i = 1,2,3$.

The relations $p_i^2 = 1$, $q_i^2 = 1$, $\{p_i,q_i\} = 0$ then apply for the Hilbert space restricted by $\{\Pi_i\}$. These imply that $p_i$, $q_i$ and $\tfrac{i}{2}[q_i, p_i]$ transform like the generators of SU(2). The operators may form a reducible representation, in which case we can construct a block diagonal matrix with irreducible representations on the diagonal. The anti-commutator property means that only the two-dimensional representation can appear, hence we can always pick a basis such that $p_i = \mathbb{1}_{d_i}\otimes\sigma_{x,i}$ and $q_i = \mathbb{1}_{d_i}\otimes\sigma_{y,i}$ for some dimension, $d_i$, of identity matrix. Our state then needs to satisfy $(\mathbb{1}_{d_1}\otimes\sigma_{x1})\otimes(\mathbb{1}_{d_2}\otimes\sigma_{x2})\otimes(\mathbb{1}_{d_3}\otimes\sigma_{x3})|\Psi\rangle = -|\Psi\rangle$, and similar relations for the other combinations analogous to (8)–(11). By an appropriate swap operation, this becomes

etc., which makes it clear that the system can be divided into subspaces, each of which must satisfy the GHZ relation (12). In an appropriate basis, we can write



$$|\Psi\rangle = \begin{pmatrix} \alpha_1\,|\psi_{\mathrm{GHZ}}\rangle \\ \alpha_2\,|\psi_{\mathrm{GHZ}}\rangle \\ \vdots \end{pmatrix},$$

where $|\psi_{\mathrm{GHZ}}\rangle = \tfrac{1}{\sqrt{2}}\left(|000\rangle - |111\rangle\right)$, and the complex coefficients $\{\alpha_j\}$ simply weight each subspace and satisfy $\sum_j |\alpha_j|^2 = 1$. (Note that $|\psi_j\rangle = |\psi_{\mathrm{GHZ}}\rangle$ is the only solution to $\left(\sigma_{x1}\otimes\sigma_{y2}\otimes\sigma_{y3} + \sigma_{y1}\otimes\sigma_{x2}\otimes\sigma_{y3} + \sigma_{y1}\otimes\sigma_{y2}\otimes\sigma_{x3} - \sigma_{x1}\otimes\sigma_{x2}\otimes\sigma_{x3}\right)|\psi_j\rangle = 4\,|\psi_j\rangle$, up to global phase.)

We have hence obtained the complete set of states and operators satisfying (8)–(11), up to local unitaries.
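As an added numerical check that is not the paper's own code, the following Python builds $\sigma_x$, $\sigma_y$ and $|\psi_{\mathrm{GHZ}}\rangle$ from plain nested lists (no numpy), verifies relations (8)–(11) with $P_i = \sigma_x$ and $Q_i = \sigma_y$, confirms that the commutator operator in the $F^2$ relation has eigenvalue $12$ on $|\psi_{\mathrm{GHZ}}\rangle$ (each permutation contributing $4$, as in (13)), and checks the anti-commutator property $\{\sigma_x,\sigma_y\} = 0$ on which the SU(2) argument rests. All helper names are this example's own.

```python
from functools import reduce
from math import sqrt

# 2x2 matrices as nested tuples; P_i is represented by sigma_x and Q_i by sigma_y,
# the form the Appendix shows every solution reduces to (up to local unitaries).
I2 = ((1, 0), (0, 1))
SX = ((0, 1), (1, 0))
SY = ((0, -1j), (1j, 0))


def matmul(a, b):
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) for j in range(n)] for i in range(n)]


def madd(*ms):
    n = len(ms[0])
    return [[sum(m[i][j] for m in ms) for j in range(n)] for i in range(n)]


def kron(a, b):
    """Kronecker product; kron(kron(A, B), C) is A (x) B (x) C on three qubits."""
    return [[x * y for x in row_a for y in row_b] for row_a in a for row_b in b]


def tensor(*ops):
    return reduce(kron, ops)


def matvec(m, v):
    return [sum(m[i][j] * v[j] for j in range(len(v))) for i in range(len(m))]


def commutator_i(a, b):
    """i[a, b] = i(ab - ba); for sigma_x, sigma_y this is -2 sigma_z, eigenvalues +/-2."""
    ab, ba = matmul(a, b), matmul(b, a)
    return [[1j * (ab[i][j] - ba[i][j]) for j in range(len(a))] for i in range(len(a))]


def anticommutator_is_zero(a=SX, b=SY, tol=1e-12):
    """{a, b} = ab + ba vanishes for sigma_x, sigma_y (the property used in the Appendix)."""
    s = madd(matmul(a, b), matmul(b, a))
    return all(abs(s[i][j]) < tol for i in range(len(s)) for j in range(len(s)))


def ghz():
    """|psi_GHZ> = (|000> - |111>)/sqrt(2), computational basis, qubit 1 most significant."""
    v = [0j] * 8
    v[0b000] = 1 / sqrt(2)
    v[0b111] = -1 / sqrt(2)
    return v


def eigenvalue(m, v, tol=1e-12):
    """Return lambda with m v = lambda v, or None when v is not an eigenvector of m."""
    w = matvec(m, v)
    k = max(range(len(v)), key=lambda i: abs(v[i]))   # a non-zero component of v
    lam = w[k] / v[k]
    return lam if all(abs(w[i] - lam * v[i]) < tol for i in range(len(v))) else None


def ghz_relations():
    """Eigenvalues of P1Q2Q3, Q1P2Q3, Q1Q2P3 and P1P2P3 on |psi_GHZ>, i.e. (8)-(11)."""
    v = ghz()
    return tuple(eigenvalue(tensor(*ops), v)
                 for ops in [(SX, SY, SY), (SY, SX, SY), (SY, SY, SX), (SX, SX, SX)])


def commutator_sum_eigenvalue():
    """Eigenvalue on |psi_GHZ> of the operator equivalent to F^2 = 1 in the Appendix:
    i[P1,Q1](x)i[P2,Q2](x)1 + i[P1,Q1](x)1(x)i[P3,Q3] + 1(x)i[P2,Q2](x)i[P3,Q3].
    Each term contributes 4 (relation (13)), giving 12."""
    c = commutator_i(SX, SY)
    total = madd(tensor(c, c, I2), tensor(c, I2, c), tensor(I2, c, c))
    return eigenvalue(total, ghz())


if __name__ == "__main__":
    print(ghz_relations())                 # (1, 1, 1, -1) up to rounding
    print(commutator_sum_eigenvalue())     # 12
    print(anticommutator_is_zero())        # True
```

Because the state lives on three qubits, the exhaustive matrix approach is cheap; the same helpers extend to the $(4k-1)$-party PRC states of Section V by replacing `ghz()` with the longer $(|0\cdots0\rangle - |1\cdots1\rangle)/\sqrt{2}$ vector, though the $2^{4k-1}$-dimensional products grow quickly.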



